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1. (Cuirently Amended) A method for automatically creating a record for one or more 
computer security incidents and reactions thereto, comprising the steps of: 

recording computer security incident information with at least one of a date and time 
stamp, the computer security incident information indicating one of suspicious computer activity 
comprising one or more attacks received from a network computer that occur prior to a computer 
security threat and an actual computer security threat; 

classifying the computer security incident information; 

automatically suggesting [[a]} one or more computer security threat procedure 
procedures based on a classification of the computer security incident information; 

providing data to onablo diopfay displaying [[of]] the, one or more suggested computer 
security threat pfeeedure procedures, eat * computer security threat procedure comprising one or 
more steps for one of investigating and responding to the computer security incident information; 

receiving a selection of a suggested cotTmuter security threat procedure from a user 
tfw> election comprising one or more steps of [[a]) the selected computer security threat 
procedure; 

executing the selected one or more steps of the computer security threat procedure; 

in response to executing the one or more steps of the selected computer security threat 
procedure, recording executed computer security threat procedure information and results of the 
executed one or more steps of the computer security threat procedure with at least one of a date 
and time stamp; and 

outputting a record comprising the computer security incident information, executed 
computer security threat procedure information, results of one or more steps of the executed 
computer security threat procedure, an identity of [[a]] the user who selected the computer 
security threat procedure, and at least one of a corresponding date stamp and time stamp. 

2. (Original) The method of Claim 1, wherein the record comprises an unmodifiable, 
permanent database. 
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3. (Previously Amended) The method of Claim 1, further comprising the step of 
recording the results of the executed computer security threat procedure with a digital signature 
to enable detection of any modification of the recorded results, whereby integrity of the recorded 
results can be monitored. 

4. (Previously Amended) The method of Claim 1, further comprising the step of 
extracting information from the results of an executed computer security threat procedure. 

5. (Previously Amended) The method of Claim 4, further comprising the step of 
describing a computer security incident with said extraction ^formation. 

6. (Previously Amended) The method of Claim 1, further comprising the step of 
displaying information for a particular computer security incident to more than one user. 

7. (Original) The method of Claim 1, further comprising the step of prepopulating fields 
of a record of a first program module from a second program module. 

8. (Previously Amended) The method of Claim 1 , further comprising the steps of : 
receiving computer security incident information from a first program module; 
processing the computer security incident information with a second program 

module; and 

forwarding the processed computer security incident information from the second 
program module to a third program module. 

9. (Previously Amended) The method of Claim 1 7 wherein the step of receiving a 
selection of a computer security threat procedure comprises automatically selecting a computer 
security threat procedure with a program module. 

10. (Cancelled) 
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11. (Original) The method of Claim 1, wherein each step is performed automatically by 
a program module. 

12. (Original) The method of Claim 1, wherein some of the steps are performed 
automatically by a program module. 

13. (Original) The method of Claim 1, further comprising the step of displaying reports 
comprising one or more computer security incidents. 

14. (Previously Amended) The method of Claim 1, wherein the results of an executed 
computer security threat procedure comprise at least one of text, numbers, images, or formatted 
documents. 

15. (Previously Amended) The method of Claim 1, further comprising the step of 
predicting future actions of a source of a computer security incident, 

16. (Previously Amended) The method of Claim 1, further comprising the step of 
identifying the source of a computer security incident. 

17. (Previously Amended) The method of Claim 1, further comprising the step of 
sorting decoy or false computer security incidents from actual computer security incidents. 

18. (Previously Amended) The method of Claim 1, further comprising the step linking a 
first computer security threat procedure to a second computer security threat procedure. 

19. (Original) The method of Claim 1, further comprising the step of determining the 
authorization level of a user. 

20. (Previously Amended) The method of Claim 1, wherein the step providing data to 
enable display of a computer security threat procedure further comprises the step of providing 
data for enabling display of one or more steps of a computer security threat procedure. 
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21. (Previously Amended) The method of Claim 1, further comprising the steps of: 

providing data to enable display of a computer security threat response procedure; 
executing the computer security threat response procedure; and 
in response to executing the response computer security threat procedure, recording 
executed computer security threat response procedure infoTmation and results of the executed 
computer security threat response procedure with at least one of a date and time stamp. 

22. (Previously Amended) The methodof Claim 1, farther comprising the steps of: 

providing data to enable display of a computer security threat investigation 

procedure; 

executing the computer security threat investigation procedure; and 
in response to executing the computer security threat investigation procedure, 
recording executed computer security threat investigation procedure information and results of 
the executed computer security threat investigation procedure with at least one of a date and time 
stamp. 

23. (Previously Amended) The method of Claim 21, wherein the step of providing data 
to enable display of the computer security threat response procedure further comprises the step of 
providing data to enable display of one or more steps of the computer security threat response 
procedure. 

24. (Previously Amended) The method of Claim 1, further comprising the step of 
providing data to enable display of results of the executed computer security threat procedure. 

25. (Previously Amended) The method of Claim 23, further comprising the step of 
providing data to enable display of results of the executed computer security threat procedure. 
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26. (Previously Amended) The method of Claim 1, further comprising the steps of: 

identifying an appropriate computer to execute a step in the computer security 
threat investigation procedure; and 

identifying an appropriate computer to execute a step in the computer security 

threat response procedure. 

27. (Original) The method of Claim 26, further comprising the steps of: 

accessing a table comprising computer locations and step information; 
comparing a step to be executed with computer locations listed in the table; 
determining a match exists between the step to be executed and the computer 
locations; and 

if one or more matches exist, displaying the matching information or automatically 
selecting an appropriate location. 

28. (Previously Amended) The method of Claim 27, wherein the table further comprises 
Internet address ranges, the method further comprising the step of comparing an Internet address 
of a source of a computer security incident with the Internet address ranges of the table. 

29. (Original) The method of Claim 27, further comprising the step of providing data to 
enable display of an appropriate substitute computer location if a match does not exist. 

30. (Previously Amended) The method of Claim 27, further comprising the step of 
identifying an appropriate computer to execute a step in either an investigation or a computer 
security threat response procedure, wherein the computer is strategically located relative to a 
source of a computer security incident. 

31. (Previously Amended) The method of Claim 1, wherein each computer security 
threat procedure comprises one or more steps, the method further comprising the step of 
executing one or more program modules in response to a selection of a computer security threat 
procedure. 
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32. (Original) The method of Claim 31, wherein the one or more program modules 
comprise one or more software application programs that can operate as stand alone programs. 

33. (Original) The method of Claim 31 .wherein at least one program module comprises 
an off-the-shelf software application program. 

34. (Previously Amended) The method of Claim 1, wherein the computer security 
incident information comprises predefined attributes. 

35. (Original) The method of Claim 34, wherein the predefined attributes comprise any 
one of a computer incident severity level, a computer incident category, a computer incident 
scope value, a computer incident status value, an attacker internet protocol (IP) address value, an 
attacker ISP name, an attacker country, an external attacker status value, an incident type vale, a 
vulnerabilities level, an entry point value, an attack profile value, a target networks value, a 
target firewalls value, a target hosts value, a target services value, a target accounts value, and a 
damage type value. 

36. (Previously Amended) The method of Claim 1, wherein the computer security 
incident information comprises attributes that are at least one of viable and computer-generated. 

37. (Previously Amended) The method of Claim 35, further comprising the step of 
determining whether a computer security incident comprises an actual breach in security based 
upon value of its attributes. 

38. (Previously Amended) The method of Claim 1, further comprising the steps of: 

receiving a selection for a step of a computer security threat procedure; and 
generating a pre-execution warning prior to the selection of a step. 
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39. (Previously Amended) The method of Claim 1 , further comprising the steps of: 

receiving a selection for a step of a computer security threat procedure; 
executing the selected step; and 

suggesting an appropriate subsequent step in the computer security threat 

procedure. 

40. (Previously Amended) The method of Claim 1, wherein each step is performed 
automatically in response to a detected computer security incident. 

41 w (Original) The method of Claim 1, further comprising the steps of: 

providing data to enable display of a plurality of computer tools in a non-procedural 

manner; 

receiving a selection for a computer tool; and 
executing the selected computer tooL 
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42. (Currently Amended) A method for organizing and recording reactions to one or 
more computer security incidents, comprising the steps of: 

classifying the computer security incident information; 

automatically suggesting one or more computer security threat investigation 
procedures based on a classification of the computer security incident information; 

providing data to onnblo display displaying [[of]] the one or more computer security 
threat investigation procedures for investigating one of suspicious computer activity that occur 
prior to a computer security threat and an actual computer security threat; 

providing data to enable display displaying [[of]] one or more computer security 
threat response procedures for responding to one of suspicious computer activity comprising one 
or more attacks received from a network computer that occur prior to a computer security threat 
and an actual computer security threat; 

in response to a selection of a computer security threat investigation procedure, 
providing data to enable display displaying [[of]] one or more corresponding investigation steps; 

in response to a selection of a computer security threat response procedure, 
providing data to cnablo dioplay di$playing [[of]] one or more corresponding response steps; 
[[and]] 

receiving a selection of one or more investiga tion steps and one or more 
corresponding response steps; 

g e n e rating storing a permanent record comprising computer security incident 
information, executed investigation step and result information, executed response step and 
result information, and corresponding date and time $tamps. 

43. (Previously Amended) The method of Claim 42, further comprising the step of 
recording executed investigation step information and results of the executed investigation step 
with at least one of a date and time stamp in response to a selection of a step of computer 
security threat investigation procedure. 
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44. (Previously Amended) The method of Claim 42, further comprising the step of 
recording executed response step information and results of the executed response step with at 
least one of a date and time stamp in response to a selection of a step of a computer security 
threat response procedure. 

45. (Previously Amended) The method of Claim 42, further comprising the steps of: 

providing data to enable display of a plurality of computer security threat 

procedures; 

in response to receiving a selection of a computer security threat procedure, 
displaying a plurality of steps; 

obtaining modification information for the selected computer security threat 

procedure; and 

storing the modification information. 

46. (Previously Amended) The method of Claim 42, further comprising the step of at 
least one of adding or deleting a step in a computer security threat procedure. 

47. (Previously Amended) The method of Claim 42, further comprising the steps of: 

providing data to enable display of a plurality of steps of a computer security threat 

procedure; 

in response to selection of a step, providing data to enable display of detailed 
information fields related to the selected step; 

obtaining modification information for the selected step; and 
storing the modification information. 

48. (Previously Amended) The method of Claim 42, further comprising the step of at 
least one of adding, deleting, or modifying a step in a computer security threat procedure. 
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49. (Original) The method of Claim 42, further comprising the steps of: 

obtaining computer security incident search information; and 
providing data to enable display of one or more computer security incidents 
matching the computer security incident search information. 

50. (Original) The method of Claim 42, further comprising the steps of: 

tracking multiple computer security incidents; and 

storing information for each computer security in accordance with at least one of - 
date and time stamp. 



[The Remainder of this Page has been intentionally left blank.] 
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5L (Currently Amended) A method for selecting a computer that is strategically located 
relative to a source of a computer security incident, comprising the steps of: 

accessing a table comprising computer locations, Internet address ranges associated 
with the computer locations, and computer security threat procedure otop information associated 
with the computer locations, the computer security threat procedure Gtop information comprising 
one or more steps for one of investigating and responding to one of suspicious computer activity 
comprising one or more attacks received from a network computer that occur prior to a computer 
security threat and an actual computer security threat, the computer locations identifying devices 
that are able to perform the computer security threat procedure otop information ; 

comparing a computer security threat procedure step to be executed and a target 
Internet address with computer locations and Internet address ranges listed in the table; 

determining if a match exists between an Internet address of a computer security 
incident and the Internet address ranges listed in the table; [[and]] 

automatically selecting a computer to execute the computer security threat 
procedure step based upon the matching step, wherein the computer has a location and is capable 
of interacting with the Internet address of the computer security incident^and 

storing a permanent record comprising the executed computer security threat 
procedure and result information, and corresponding date and time stamps . 

52, (Original) The method of Claim 51, further comprising the step of: 

if one or more matches exist, providing data to enable display of the matching 

information-, 

if a match does not exist, providing data to enable display of one or more 
appropriate substitute computer locations or automatically selecting an appropriate location. 

53. (Currently Amended) The method of Claim 51, wherein the computer security threat 
procedure step comprises a portion of a computer security threat response procedure, wherein the 
computer is strategically located relative to a source of a computer security incident. 
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54. (Currently Amended) The method of Claim 51, wherein the computer security threat 
procedure step- comprises a portion of a computer security threat investigation procedure, 
wherein the computer is strategically located relative to a source of a computer security incident. 

55. (Currently Amended) The method of Claim 51, wherein each computer security 
threat procedure step to be executed in a computer security threat procedure comprises one or 
more off-the-shelf security application programs. 



[The Remainder of this Page has been intentionally left blank.] 
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56. (Currently Amended) A method for generating a permanent record of one of more 
computer security incidents and reactions thereto, comprising the steps of: 

receiving computer security incident information indicating one of suspicious 
computer activity comprising one or more attacks received from a network computer that occur 
prior to a computer security threat and an actual computer security threat; 

classifying the computer security incident information; 

displaying one or more tools for one of investigating and responding to computer 
security incident information; 

automatically suggesting ([a]] one or more tools [[tool]} based on a classification of 
the computer security incident information; 

receiving a selection of a suggested tool; 

in response to a selection of a tool, forwarding data for execution of the tool; and 
forwarding data for g e nerating storing a permanent record comprising computer 

security incident information, executed tool information, and corresponding date and time 

stamps. 

57. (Original) The method of Claim 56, further comprising the step of displaying the 
tools as icons on a computer display. 

58. (Original) The method of Claim 56, further comprising the step of displaying a - 
plurality of tools that are selectable from a menu. 

59. (Original) The method of Claim 31, further comprising the step of installing the one 
or more program modules within a single program on a server, 

60. (Original) The method of Claim 31, further comprising the step of installing the one 
or more program modules on a single server. 

61 . (Original) The method of Claim 3 1 , further comprising the step of installing the one 
or more program modules on a computer that is a target of a computer incident 



-14- 
PAGE 20/32 ' RCVD AT 1/8(2007 7:09:22 PM [Eastern Standard Time] 1 SVR:llSPTO-EFXRF-2/7 ' DN)S:2738300 " CSID:404 572 5105 * DURATION (mm-ss):08-36 



JAN 08 2007 19:08 FR KING 8r SPALDING LLP404 572 5105 TO 6054561050089157 P. 21 



Application No. 09/685,285 

62. (Original) The method of Claim 31, farther comprising the step of installing the one 
or more computer modules on both a computer that is a target of a computer incident and a 

server, 

63. (Original) The method of Claim 27, wherein the table further comprises Internet 
address ranges, the method further comprising the step of comparing an Internet address of a 
computer subject to an attack or security breach with the Internet address ranges of the table. 

64. (Previously Amended) The method of Claim 27, wherein the table further comprises 
Internet address ranges, the method further comprising the step of comparing Internet address of 
a witness to a computer security incident with the Internet address ranges of the table. 

65. (Previously Amended) The method of Claim 27, wherein the table further comprises 
Internet address ranges, the method further comprising the step of comparing an Internet address 
of an accomplice to a computer security incident with the Internet address ranges of the table. 
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